Digital Personal Data Protection Act and Draft Rules

What fintech and payments firms must know to ensure data privacy

Fintechs must rethink data roles, compliance, and privacy under the DPDP Act, 2023 and Rules 2025 to balance security, trust and innovation.

In brief

  • Fintechs are essential to the country’s financial services sector. However, the risks they face are amplified by rapid technological advancements and external threats from hired hackers, creating a ripple effect that could affect the entire industry.
  • Prioritizing privacy and security is not just crucial for compliance; a privacy- and security-first approach is also a key differentiator in building customer trust and enhancing brand value.

As the digital payments ecosystem continues to evolve along with regulatory compliance in India, the fintech sector is not just a participant; it is a driving force behind financial inclusion, innovation and digital transformation. The success of this sector hinges on the consumer experience, and consumers are looking at two critical elements: security and privacy of data. With the Digital Personal Data Protection (DPDP) Act, 2023 and the recently released Draft Digital Personal Data Protection (DPDP) Rules (2025), the focus is on how this sector will manage to safeguard the large volume of personal data it processes. As fintechs are integral to the financial services landscape in the country, the risks they face are magnified by advances in technology and ‘for hire’ adversaries, creating a domino effect that can impact the entire financial services sector in the country. Adopting a privacy- and security-first approach is not only imperative for data protection compliance but will act as a key differentiator in driving customer trust and enhancing brand value.

The payments intermediaries (aggregators, gateways, etc.) and the card networks are uniquely positioned when it comes to the impact of the Digital Personal Data Protection (DPDP) Act and the Draft Rules. While most of these entities do not have a direct interface with the customer to collect personal data, they are the custodians of large volumes of personal data as payments system operators. While the global organizations operating in India have a lesson or two to borrow from their global privacy playbooks, there are interesting local use cases that need to be analyzed and assessed to determine the role of the payments intermediaries in the data privacy journey.


The role of fintechs and payments intermediaries – Data fiduciary vs. data processor?


While the popular view is that fintechs and payments intermediaries would be deemed data processors, the answer is not really that simple. There are a number of unique use cases and operating models due to which the balance may tilt towards being a fiduciary. While the Digital Personal Data Protection (DPDP) Act does not define the role of a “joint fiduciary” similar to the “joint controller” in GDPR, there is no restriction on the number of fiduciaries. Service models where traditional fiduciaries such as banks operate in an outsourced/SaaS model with fintech partners in a ‘co-branded’ manner are a classic scenario where both could be perceived as fiduciaries while the bank continues to own the customer relationship. Similarly, fintechs that provide services related to fraud monitoring, threat intelligence, concierge and tokenization could also be involved in determining the purpose of personal data collection without having a direct customer-facing interface. Hence, while revisiting service contracts is of the essence, it is vital for the privacy teams of fintechs and payments intermediaries to agree upon obligations and liabilities in the context of digital personal data protection with the entities that own the customer relationship. Such agreed-upon obligations and liabilities will also apply to the subcontractors/vendors onboarded by the fintechs and payments intermediaries, and hence adequate due diligence and contracting with them will also be essential.


Another area of focus where responsibilities would be shared between the entities is the management of Data Principal rights requests. While the rights of grievance redressal and nomination would typically be handled by the entity managing the customer relationship, the actions arising from requests related to the rights of access, correction and erasure will need to be addressed by fintechs and payments intermediaries as well. An integrated workflow to manage such requests across entities will need both a service-level agreement (SLA) based governance model and a planned technical implementation.

Customer experience and user consent management – A balancing act?

While many customer-facing applications developed by fintechs in recent times have focused on enhancing customer experience by optimizing the number of clicks, inputs, etc., how they handle notice and user consent management requirements will need to be planned. A three-click onboarding USP for customers is likely to gain an extra click, or maybe two. A well-drafted notice by a techno-legal team will help in enhancing customer trust. As we await clarity on the requirements for integrating with Consent Managers, the feasibility of integrating with multiple such entities will need to be evaluated and tested, as well as agreed upon with their clients.

In summary, while clarifications and amendments are expected based on the draft rules, the privacy focus of fintechs and payments intermediaries should be on analyzing use cases and establishing the accountability model across entities. Building technology platforms that are centered around security and privacy-by-design principles will not only become an imperative but will also be a key business driver for these entities. A privacy governance office is needed to drive and sustain the privacy implementation. As awareness continues to grow in the country, entities will need to scale up their capacity to manage and address Data Principal rights, for which implementation of solutions for data discovery and traceability will be key.

Manasi N J – Director, Technology Consulting, and Prerna Advani – Director, Technology Consulting, have also contributed to the article.



Summary

As India continues as a global leader in digital payments adoption, and as digital payments data security remains a key area of focus, it is essential for fintechs and payment intermediaries to adopt industry-leading privacy governance practices, along with robust implementation of security controls, to establish customer trust and comply with the DPDP Act, 2023, and the draft DPDP Rules, 2025.
